Ransomware Resiliency by Design
Design defences against the most financially devastating cyberattack. Learn Microsoft's ransomware best practices, attack patterns, and how architects build resilient security architectures.
Why architects must design for ransomware
Ransomware is a house fire for your digital assets.
You can’t just install a smoke detector and hope for the best. A good architect designs the building so fire can’t spread — firebreaks between floors, sprinkler systems, multiple exits, and backup plans for when things go wrong despite your best efforts.
Ransomware resiliency works the same way. You design your environment so that even if an attacker gets in and encrypts some systems, the damage is contained, backups are untouched, and recovery is measured in hours — not weeks.
The SC-100 exam tests whether you can design this resilience before the attack, not just respond to it afterwards.
The ransomware attack lifecycle
Modern ransomware attacks follow a predictable pattern. Understanding this lifecycle helps architects design defences at each stage:
| Phase | What Attackers Do | Time Frame | Architect’s Defence |
|---|---|---|---|
| Initial access | Phishing, exploiting public-facing apps, compromised credentials | Day 1 | MFA, Conditional Access, attack surface reduction, patching |
| Persistence | Install backdoors, create accounts, disable security tools | Days 1-3 | Endpoint detection (EDR), tamper protection, monitoring |
| Privilege escalation | Steal credentials, exploit misconfigurations, move laterally | Days 3-14 | Least privilege, PIM, network segmentation, credential hygiene |
| Reconnaissance | Map the network, identify crown jewels, find backup systems | Days 7-21 | Microsegmentation, deception technology, audit logging |
| Data exfiltration | Copy sensitive data for double extortion | Days 14-28 | DLP, network monitoring, egress filtering |
| Encryption | Deploy ransomware across all accessible systems simultaneously | Day 28+ | Backup isolation, immutable storage, rapid recovery plans |
Exam tip: Human-operated vs automated ransomware
The exam distinguishes between automated ransomware (commodity malware that spreads indiscriminately) and human-operated ransomware (HumOR), where attackers run targeted campaigns using living-off-the-land techniques.
HumOR is far more dangerous because attackers:
- Adapt to your defences in real time
- Specifically target backup infrastructure
- Exfiltrate data before encryption (double extortion)
- Use legitimate admin tools (PowerShell, RDP, PsExec), making detection harder
If an exam question mentions “advanced persistent threat,” “targeted attack,” or “weeks of attacker activity,” think HumOR — and design for all three phases, not just prevention.
🌐 Scenario: Elena faces the board
After a competitor suffers a ransomware attack that shuts down manufacturing for three weeks, Meridian Global’s board asks Dr. Elena Vasquez: “Could this happen to us?”
Elena doesn’t answer with product names. She walks the board through Meridian’s defence at each phase:
- Initial access: MFA enforced for all users, Conditional Access blocks legacy authentication, Defender for Office 365 filters phishing
- Privilege escalation: PIM activated for all admin roles, lateral movement limited by network segmentation
- Backup protection: Backups are in an isolated subscription with separate admin credentials and immutable storage
- Recovery: Tested quarterly, target recovery time is 8 hours for critical systems
Marcus Chen, the board chair, asks: “What’s our worst case?” Elena is honest: “If an attacker gets past MFA with a token theft attack, our segmentation limits them to one zone. We lose hours of data in that zone, not weeks across the company. And we can recover because our backups are untouchable.”
This is architect thinking — connecting technical controls to business outcomes that the board understands.
Microsoft’s three-phase ransomware framework
Phase 1: Prepare — reduce the attack surface
| Control | What It Does | Microsoft Technology |
|---|---|---|
| Enforce MFA everywhere | Blocks 99.9% of credential-based attacks | Entra ID, Conditional Access |
| Eliminate legacy authentication | Removes protocols that can’t use MFA (SMTP, IMAP, POP) | Conditional Access block policy |
| Apply attack surface reduction (ASR) | Blocks common malware execution techniques | Defender for Endpoint ASR rules |
| Patch promptly | Closes known vulnerabilities before exploitation | Windows Update for Business, Defender Vulnerability Management |
| Harden internet-facing services | Reduces exposure of RDP, SMB and VPN portals | Azure Bastion, just-in-time VM access, private endpoints |
Phase 2: Limit — contain the blast radius
| Control | What It Does | Microsoft Technology |
|---|---|---|
| Segment the network | Prevent lateral movement between zones | NSGs, Azure Firewall, microsegmentation |
| Enforce least privilege | Admin accounts only have access when activated | PIM (just-in-time), tiered admin model |
| Protect credentials | Prevent credential theft and reuse | Credential Guard, LAPS, Defender for Identity |
| Enable tamper protection | Prevent attackers from disabling security tools | Defender for Endpoint tamper protection |
| Monitor for lateral movement | Detect attacker movement between systems | Defender for Identity, Sentinel analytics rules |
Phase 3: Recover — restore from protected backups
| Control | What It Does | Microsoft Technology |
|---|---|---|
| Isolate backup infrastructure | Prevent attackers from reaching backups | Separate subscription, separate admin accounts |
| Use immutable storage | Backups cannot be modified or deleted for a defined period | Azure Backup immutable vaults, blob versioning with legal hold |
| Test recovery regularly | Verify backups actually work when needed | Scheduled recovery drills, documented RTO/RPO |
| Protect backup credentials | Backup admin accounts use separate identities | Dedicated Entra accounts, MFA, no email access |
Traditional vs ransomware-resilient backup
| Aspect | Traditional Backup | Ransomware-Resilient Backup |
|---|---|---|
| Backup location | Same network as production systems | Isolated subscription with separate admin credentials |
| Backup mutability | Can be modified or deleted by any admin | Immutable storage — cannot be changed for retention period |
| Admin accounts | Same admin accounts manage backup and production | Dedicated backup admin accounts with separate MFA |
| Recovery testing | Tested annually (if at all) | Tested quarterly with documented results |
| Ransomware protection | Backups encrypted along with production data | Backups survive even if production is fully compromised |
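A design review check for the Phase 3 controls and the comparison table above, written as an added example (it is not course material and not a Microsoft tool). The `BackupDesign` field names are assumed attributes an architect records, and the 28-day retention floor is inferred from the lifecycle table's "Day 28+" encryption phase, which is the caveat a reviewer should raise when immutability is configured.

```python
from dataclasses import dataclass

# Added example (not course material): a design review check against the
# table above. Field names on BackupDesign are assumed, not product settings.
# The lifecycle table puts encryption at day 28+, so immutable retention
# shorter than that may leave no backup that predates the intrusion.
ATTACK_TIMELINE_DAYS = 28

@dataclass
class BackupDesign:
    backup_subscription: str
    production_subscription: str
    backup_admins: set
    production_admins: set
    backup_admins_mfa: bool
    immutable_retention_days: int      # 0 = mutable
    recovery_test_interval_days: int   # 0 = never tested

def assess(design):
    """Return findings per table row; an empty list means all rows are met."""
    findings = []
    if design.backup_subscription == design.production_subscription:
        findings.append("backup location: shares a subscription with production")
    shared = design.backup_admins & design.production_admins
    if shared:
        findings.append(f"admin accounts: {sorted(shared)} manage both backup and production")
    if not design.backup_admins_mfa:
        findings.append("admin accounts: backup admins lack MFA")
    if design.immutable_retention_days == 0:
        findings.append("backup mutability: backups can be modified or deleted")
    elif design.immutable_retention_days < ATTACK_TIMELINE_DAYS:
        findings.append(f"backup mutability: {design.immutable_retention_days}d immutable retention "
                        f"is shorter than the {ATTACK_TIMELINE_DAYS}d attack timeline (dwell)")
    if design.recovery_test_interval_days == 0:
        findings.append("recovery testing: never tested")
    elif design.recovery_test_interval_days > 90:
        findings.append("recovery testing: less often than quarterly")
    return findings

# Constructed designs mirroring the two columns of the table.
TRADITIONAL = BackupDesign("prod-sub", "prod-sub", {"admin1"}, {"admin1", "admin2"},
                           False, 0, 365)
RESILIENT = BackupDesign("backup-sub", "prod-sub", {"bkp-admin"}, {"admin1", "admin2"},
                         True, 90, 90)

if __name__ == "__main__":
    for name, design in (("traditional", TRADITIONAL), ("resilient", RESILIENT)):
        print(name, assess(design) or ["meets all rows"])
```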
Security updates management
Unpatched systems are one of the most common initial access vectors for ransomware. The architect designs an update strategy that balances speed with stability:
| Update Category | Target Timeline | Strategy |
|---|---|---|
| Critical / zero-day | Within 24-48 hours | Emergency patching, automated deployment to high-risk systems |
| Security updates | Within 14 days | Phased deployment: ring 0 (test) → ring 1 (pilot) → ring 2 (production) |
| Feature updates | Within 30 days | Compatibility testing, user communication, phased rollout |
| Firmware and drivers | Within 30 days | Vendor-coordinated, tested on reference hardware first |
Exam tip: Patching trade-offs
The exam may present scenarios where patching conflicts with business operations — a manufacturing line that can’t reboot, a financial system in a trading window, or a healthcare system mid-procedure.
The architect’s answer is never “don’t patch.” It’s “design the system so patching doesn’t require downtime” — rolling updates, blue-green deployments, maintenance windows, compensating controls (enhanced monitoring) during the patching gap.
If a question asks about OT/SCADA systems that truly cannot be patched, the architect designs compensating controls: network isolation, virtual patching (IPS rules), enhanced monitoring, and reduced exposure.
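The update table and the OT exam tip together describe a policy an architect can check mechanically: a deadline per update category, the three deployment rings spread across that window, and compensating controls required wherever a system truly cannot be patched. The following is an added example (not course material or a Microsoft tool); hostnames, dates, update ids and the record field names are constructed.

```python
import math
from datetime import date, timedelta
# Added example (not course material); hostnames, dates and update ids are constructed.
# Target timelines from the table, using the upper bound of each range.
TARGET_DAYS = {"critical": 2, "security": 14, "feature": 30, "firmware": 30}
# Phased deployment: ring 0 (test) -> ring 1 (pilot) -> ring 2 (production).
RINGS = ("ring 0", "ring 1", "ring 2")
# Compensating controls the exam tip lists for OT that truly cannot be patched.
OT_CONTROLS = {"isolation", "virtual_patching", "monitoring"}
AS_OF = date(2024, 3, 20)  # constructed "today" for the report

def ring_schedule(category, released):
    """Spread the rings across the window so ring 2 lands on the deadline."""
    span = TARGET_DAYS[category]
    return {ring: released + timedelta(days=math.ceil(span * (i + 1) / len(RINGS)))
            for i, ring in enumerate(RINGS)}

def overdue(systems, today):
    """Return (host, reason) pairs for systems that miss the policy."""
    findings = []
    for s in systems:
        if s["patched"]:
            continue
        if s.get("unpatchable_ot"):
            # No patch available: the design must carry compensating controls instead.
            missing = OT_CONTROLS - set(s.get("controls", ()))
            if missing:
                findings.append((s["host"], "OT missing compensating controls: "
                                 + ", ".join(sorted(missing))))
            continue
        due = s["released"] + timedelta(days=TARGET_DAYS[s["category"]])
        if today > due:
            findings.append((s["host"], f"{s['category']} update {s['update']} overdue since {due}"))
    return findings

# Constructed inventory: one overdue server and two OT systems, one of them under-protected.
SYSTEMS = [
    {"host": "srv-01", "category": "security", "update": "KB-PLACEHOLDER",
     "released": date(2024, 3, 1), "patched": False},
    {"host": "scada-01", "category": "critical", "update": "CVE-XXXX-XXXXX",
     "released": date(2024, 3, 1), "patched": False, "unpatchable_ot": True,
     "controls": ("isolation", "virtual_patching", "monitoring")},
    {"host": "scada-02", "category": "critical", "update": "CVE-XXXX-XXXXX",
     "released": date(2024, 3, 1), "patched": False, "unpatchable_ot": True,
     "controls": ("isolation",)},
]

def report():
    return overdue(SYSTEMS, AS_OF)
```

Call `report()` for the findings on the constructed inventory, or `ring_schedule("security", SYSTEMS[0]["released"])` to see the ring dates for a 14-day window.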
🏛️ Scenario: Commander Torres's patching dilemma
Commander Aiden Torres at the Department of Federal Systems has 2,000 Windows servers and 50 legacy OT systems running SCADA software from 2015. The SCADA vendor does not support the latest OS patches.
Torres designs a tiered approach:
- IT systems (2,000 servers): Windows Update for Business with 3 deployment rings. Critical patches within 48 hours on ring 0. Specialist Diaz manages the deployment rings from the field.
- OT systems (50 SCADA): Network-isolated in dedicated VLANs with no internet access. Virtual patching via Defender for IoT. Enhanced monitoring via dedicated Sentinel workspace. Quarterly vendor coordination for approved patches.
Colonel Reeves asks: “Can we guarantee the SCADA systems won’t be compromised?” Torres responds: “We can’t patch them, so we isolate them. If an attacker reaches the SCADA VLAN, they had to breach three network boundaries — and we’d see it in Sentinel long before they arrive.”
This is the architect’s balance — rapid patching where possible, compensating controls where it isn’t.
Ransomware resiliency as architecture
The key insight for SC-100: ransomware resiliency isn’t a product or a process — it’s an architectural property. You design it into the environment:
| Architectural Decision | Resiliency Benefit |
|---|---|
| Microsegmentation | Attacker can’t move from compromised system to crown jewels |
| JIT admin access | No standing privileges for attackers to exploit |
| Immutable backups | Recovery is guaranteed even if everything else is encrypted |
| Separate admin identities | Compromising a user account doesn’t give access to infrastructure |
| Automated detection | Lateral movement detected in minutes, not weeks |
| Tested recovery plans | Recovery time is predictable, not a crisis discovery |
Knowledge check
Elena discovers that Meridian Global's backup infrastructure uses the same admin accounts as production systems. If an attacker compromises a production admin account, they could also delete backups. What should Elena recommend?
A cybersecurity architect is designing ransomware defences for a manufacturing company. Which combination of controls best addresses all three phases (prepare, limit, recover)?
Commander Torres has 50 OT/SCADA systems running legacy software that the vendor will not patch. The systems control critical infrastructure. Which approach aligns with Microsoft's security update best practices?
Next up: Backup, Recovery, and Business Continuity — deep dive into designing backup strategies, data retention policies, and business continuity architecture.